SOCIAL SECURITY

Office of the Inspector General

MEMORANDUM

Date:    March 30, 2001                                Refer To:

To:      Larry G. Massanari
         Acting Commissioner
         of Social Security

         Inspector General

Subject: Information Technology Capital Planning and Investment Control Process at the Social
         Security Administration (A-14-99-12004)

Attached is a copy of our final report. Our objective was to evaluate the Social Security
Administration's (SSA) information technology (IT) capital planning and investment
control process for compliance with the Clinger-Cohen Act of 1996 (CCA). Overall, we
found that SSA's IT capital planning and investment process did not fully support a
capital planning and investment control process as envisioned by the General
Accounting Office and the Federal Chief Information Officer's Council for compliance
with CCA.

Please comment within 60 days from the date of this memorandum on corrective action
taken or planned on each recommendation. If you wish to discuss the final report,
please call me or have your staff contact Steven L.
Schaeffer, Assistant Inspector
General for Audit, at (410) 965-9700.

Attachment


OFFICE OF
THE INSPECTOR GENERAL

SOCIAL SECURITY ADMINISTRATION

INFORMATION TECHNOLOGY
CAPITAL PLANNING AND
INVESTMENT CONTROL PROCESS
AT THE SOCIAL SECURITY
ADMINISTRATION

March 2001   A-14-99-12004

AUDIT REPORT


Mission

We improve SSA programs and operations and protect them against fraud, waste,
and abuse by conducting independent and objective audits, evaluations, and
investigations. We provide timely, useful, and reliable information and advice to
Administration officials, the Congress, and the public.

Authority

The Inspector General Act created independent audit and investigative units,
called the Office of Inspector General (OIG).
The mission of the OIG, as spelled
out in the Act, is to:

  - Conduct and supervise independent and objective audits and
    investigations relating to agency programs and operations.
  - Promote economy, effectiveness, and efficiency within the agency.
  - Prevent and detect fraud, waste, and abuse in agency programs and
    operations.
  - Review and make recommendations regarding existing and proposed
    legislation and regulations relating to agency programs and operations.
  - Keep the agency head and the Congress fully and currently informed of
    problems in agency programs and operations.

To ensure objectivity, the IG Act empowers the IG with:

  - Independence to determine what reviews to perform.
  - Access to all information necessary for the reviews.
  - Authority to publish findings and recommendations based on the reviews.

Vision

By conducting independent and objective audits, investigations, and evaluations,
we are agents of positive change striving for continuous improvement in the
Social Security Administration's programs, operations, and management and in
our own office.


Executive Summary

OBJECTIVE

The objective of this audit was to evaluate the Social Security Administration’s (SSA)
information technology (IT) capital planning and investment control process for
compliance with the Clinger-Cohen Act of 1996 (CCA).

BACKGROUND

CCA was enacted in August 1996 to promote improvements in the use of IT to support
agency missions and improve agency management processes for acquiring and
managing IT investments.
Agency responsibilities defined in the Act include: (1) capital
planning and investment control; (2) performance/results-based management and
reporting requirements; (3) appointment of an agency Chief Information Officer (CIO);
and (4) exception reports on major IT acquisitions that have significantly deviated from
cost, performance, or scheduled goals (see Appendix A for excerpts).

In February 1997, the General Accounting Office (GAO) issued guidance to all
Executive Branch agencies for evaluating IT investment decisionmaking for
implementing CCA and other major legislation. While the Agency is not required to, and
has not, adopted this guidance, the Federal CIO Council has endorsed this guidance
as “best practices” for implementing CCA (see Appendix B). The guidance provides a
three-phase process (Selection, Control, and Evaluation) for capital planning and IT
investments.

SELECTION PHASE

The goal of the Selection phase is to assess risk/return and prioritize current and
proposed IT initiatives to create an optimal portfolio of IT initiatives. One tool for
assessing risk is modeling.

CONTROL PHASE

The goal of the Control phase is for project managers and initiative owners to
periodically assess the individual’s progress against projected costs, schedule
milestones, and expected mission benefits. One feature of the Control phase is that the
tracking systems must be integrated with a capital planning and investment control
process.

IT Capital Planning and Investment Control Process at SSA (A-14-99-12004)

EVALUATION PHASE

The goal of the Evaluation phase is to provide feedback that will lead to constant
improvement in the organization’s IT investment process.
During the Evaluation phase,
the organization will perform a post-implementation review to compare actual data with
projected data, including life-cycle costs and life-cycle returns.

RESULTS OF REVIEW

Using the outline of the GAO guidance, we have organized our findings into
three phases.

SELECTION PHASE

SSA’s Strategic Planning Process did not require a risk assessment using risk modeling
for proposed IT projects. Also, the Agency was not evaluating the use of decision
support software (DSS) to assist in selecting the optimal portfolio of IT investments.

CONTROL PHASE

SSA’s individual tracking systems were not integrated to support a capital planning and
investment control process. Below are two examples of conditions demonstrating
non-integration.

1. There was no IT project accountability data base (system) for capturing different
   types of project costs, such as internal programming costs and external software
   and hardware purchases.

2. SSA had not monitored in-process reviews for performance. For example, SSA did
   not perform variance analyses when cost and scheduling deviated from what was
   expected. Since SSA was not performing a variance analysis, exception reporting to
   management cannot be done when costs increase by 10 percent or schedules slip
   by 6 months.

EVALUATION PHASE

SSA has not established a post-implementation review process (policies and
procedures) nor has it targeted any IT projects for post-implementation review except
the review of the intelligent workstation/local area network project requested by
Congress.

CONCLUSION AND RECOMMENDATIONS

We note that SSA had made noticeable progress toward implementing an IT capital
planning and investment control process, as envisioned by GAO and the Federal CIO
Council.
SSA’s strengths include:

- reviewing proposed IT projects against the Agency’s mission and goals for strategic
  effectiveness,

- establishing a CIO, and

- requiring major IT projects to be grouped into smaller more manageable project
  phases before full implementation.

However, the results of our review of SSA’s IT Capital Planning and Investment Control
Process and interviews with SSA personnel had identified several improvements the
Agency needs to consider regarding its implementation of CCA. Overall, SSA’s IT
capital planning and investment process did not fully support a capital planning and
investment control process, as envisioned by GAO and the Federal CIO Council. SSA
needs to make additional Agencywide improvements, in the Selection, Control, and
Evaluation phases of its IT investment process.

We recommend SSA:

Finding 1 - Selection Phase

- Develop a risk model and use it in the strategic planning process for all proposed IT
  projects. Selection criteria should include weighing risk for cost, benefits, schedule,
  technical, etc.

- Evaluate using DSS tools like Expert Choice to further assist SSA in its selection of
  IT projects. Expert Choice allows the user to take the intangibles of decisionmaking
  (experience, insight, and judgment) and weigh them against a customized set of
  criteria.

Finding 2 – Control Phase

- Redesign SSA’s Capital Planning and Investment Control Process to incorporate the
  processes for making budget, financial and program management decisions within
  the Agency into one integrated system.
  SSA could implement this recommendation
  through the use of the Information Technology Investment Portfolio System (I-TIPS)
  software (see Appendix C).

- Design and implement an IT project accountability system that: (a) captures all
  funds spent with budgeted cost; (b) allows expanded scheduling information like
  expected versus actual implementation date, including milestone dates; and
  (c) includes performance indicators like return on investment or any other benefit
  measures.

- Require benefits to be quantified and performance measures to be identified for
  major projects in SSA’s strategic planning guidance.

- Request management information on the financial accounting of each project (spent
  to-date and the amount remaining to be spent), milestones, and expected
  implementation date.

- Perform variance analysis and exception reporting on cost and scheduling time
  frames.

Finding 3 – Evaluation Phase

- Establish policies and procedures for conducting post-implementation reviews.

- Perform post-implementation reviews on appropriate IT projects.

AGENCY COMMENTS

In response to our draft report, SSA generally agreed to explore and/or assess our
recommendations. Specifically, SSA plans to explore more systematic risk modeling
procedures for proposed IT projects by:

- evaluating decision support software like Expert Choice;

- re-examining I-TIPS as a tool to collect, analyze and report IT project accountability
  information;

- establishing more detailed policies and procedures for conducting
  post-implementation reviews in 2001; and

- performing post-implementation reviews on appropriate IT projects.
  (See Appendix F for SSA’s comments.)


Table of Contents

INTRODUCTION

RESULTS OF REVIEW

Selection Phase

Control Phase

    - Integration

    - IT Project Accountability System

    - More Information for Monitoring Performance

Evaluation Phase

CONCLUSIONS AND RECOMMENDATIONS

APPENDICES

APPENDIX A – Excerpts from the Clinger-Cohen Act

APPENDIX B – The Federal Chief Information Officer’s Council

APPENDIX C – Information Technology Investment Portfolio System

APPENDIX D – Projects with High-Risk Ranking

APPENDIX E – External and Internal Project Costs

APPENDIX F – Agency Comments

APPENDIX G – OIG Contacts and Staff Acknowledgments


Acronyms

BCP               Budget Call Process
BEP               Budget Execution Process
BER               Budget Execution Report
CBA               Cost Benefit Analysis
CCA               Clinger-Cohen Act
CIO               Chief Information Officer
DSS               Decision Support Software
GAO               General Accounting Office
GPRA              Government Performance and Results Act
FY                Fiscal Year
IRM               Information Resource Management
IT                Information Technology
ITS               Information Technology Systems
I-TIPS            Information Technology Investment Portfolio System
ITSRS             Information Technology Systems Review Staff
IWS/LAN           Intelligent Work Station/ Local Area Network
MCAS              Managerial Cost Accountability System
OFAM              Office of Finance, Assessment and Management
OSPI              Office of Systems Planning and Integration
PIR               Post-Implementation Review
RIBS              Resources and Integration Budget System
RIMS              Risk Identification and Mitigation System
SSA               Social Security Administration
VISOR             Vital Signs and Observations Report


Introduction

OBJECTIVE

The objective of this audit was to evaluate the Social Security Administration’s (SSA)
Information Technology (IT) capital planning and investment control process for
compliance with the Clinger-Cohen Act of 1996 (CCA).

BACKGROUND

Clinger-Cohen Act: The CCA[4] promotes improvements in the use of IT to support
agency missions and improves agency management processes for acquiring and
managing IT investments. Agency responsibilities defined in CCA include: (1) capital
planning and investment control; (2) performance/results-based management and
reporting requirements; (3) appointment of an agency Chief Information Officer (CIO);
and (4) exception reports on major IT acquisitions that have significantly deviated from
cost, performance, or scheduled goals (see Appendix A for example).

General Accounting Office issued guidance: In February 1997, the General
Accounting Office (GAO) issued guidance[5] for evaluating Federal agencies’ IT
investment decisionmaking for implementing CCA. The GAO guidance outlines the
following three-phase process for capital planning and IT investments (see Appendix B).

SELECTION PHASE

The purpose of the Selection phase is for agency executives to create an optimal
portfolio of IT initiatives through assessing risk and return, which will enable an agency
to better prioritize current and proposed IT initiatives. Projects being proposed for
funding are initially screened to eliminate proposals that do not pass minimal
acceptance criteria. Proposals that pass this screening process have their costs,
benefits, and risks analyzed in-depth. Once this is accomplished, all of the projects are
compared against some common decision criteria and ranked based on their relative
benefits, costs and risks.
Using this prioritized list as a guide, agency executives decide
which projects to fund.

CONTROL PHASE

During the Control phase, agency executives should be actively engaged in tracking all
of the projects in the investment portfolio. For an agency to achieve maximum benefits
from a project, while minimizing risks, the agency’s tracking systems should be
integrated with a capital planning and investment control process. Agency executives
should change a project’s course when necessary and incorporate their lessons learned
in the Selection phase to further refine and improve the process.

[4] The CCA has also been referred to as the Information Technology Reform Act of 1996
[5] Assessing Risks and Returns: A Guide for Evaluating Federal Agencies’ IT Investment Decision-making,
    GAO/AIMD-10.1.13, February 1997.

EVALUATION PHASE

The Evaluation phase “closes the loop” on the IT investment management process by
comparing actuals against estimates to assess performance and identify areas where
future decisionmaking can be enhanced. Lessons learned during the evaluation phase
should be geared toward modifying future selection and control decisions. Central to
this process is the post-implementation review with its evaluation of the project’s
historical record.

[Figure: SELECTION PHASE, CONTROL PHASE, EVALUATION PHASE; LESSONS LEARNED]

SSA’s Capital Planning and IT Management Control Process

It should be noted that, before CCA was implemented, many of the key CCA IT
management reforms had already been in place at SSA for many years.
For example,
SSA’s Systems Review Board was established in 1987 and chaired by SSA’s Chief
Financial Officer to provide independent oversight of major IT investments.

In response to CCA, SSA streamlined the IT management process by establishing the
CIO position and placing it with the Principal Deputy Commissioner.[6] Also, SSA
transformed the Systems Review Board into the CIO Core Team, which is composed of
staff from key SSA components involved with IT investments and Information Resource
Management (IRM) issues. SSA established a larger CIO Advisory Council composed
of Executive Staff members to ensure Agencywide awareness of, and involvement in,
IT/IRM issues.

SSA’s IT capital planning and investment review process starts with the Office of
Strategic Management working with the CIO Core Team and the larger Executive Staff
to develop the Agency’s Strategic and Business Plans and define the key initiatives
required for implementation. SSA components develop resource plans for these key
initiatives and identify the resources required for their implementation.

[6] Effective October 5, 2000, the CIO position has changed and is now within the Office of the Deputy
    Commissioner for Social Security.

The components’ resource request plans are updated annually through SSA’s Budget
Call Process (BCP). The BCP starts with the Office of Systems issuing instructions and
guidelines for developing and submitting resource requests for SSA’s IT budget.
Once the Office of Systems receives the component resource plans, it reviews and
consolidates component requests, determines whether proposed IT investments
comply with SSA’s IT architecture, and formulates the final IT budget submission.
The Deputy Commissioner for Systems submits a prioritized proposed IT budget and project
justifications to the Office of Finance, Assessment and Management (OFAM).

The Information Technology Systems Review Staff (ITSRS), a component of OFAM,
independently analyzes and evaluates the proposed IT budget and provides its
recommendations to the CIO. Once the CIO approves the proposed IT initiative, ITSRS
tracks the IT investment through the annual Budget Execution Process (BEP). The
BEP consists of ITSRS’ monitoring the project to ensure IT funding does not exceed the
annual approved budgeted amount. When requested funding exceeds the annual
budgeted amount, ITSRS makes recommendations to the CIO. The CIO must approve
all funding increases that are $100,000 over the annual budgeted amount.

SCOPE AND METHODOLOGY

The objective of this review was to evaluate SSA’s IT capital planning and investment
review process for compliance with the CCA of 1996. To accomplish our objective, we:

- Obtained and reviewed previous Office of the Inspector General and GAO audit
  reports.

- Reviewed applicable laws and guidelines.
  For example, the CCA; Office of
  Management and Budget Circulars A-94, Guidelines and Discount Rates for
  Benefit-Cost Analysis of Federal Programs, and A-11, Preparation and Submission of
  Budget Estimates (Exhibits 42, 300A, and 300B); and the Statement of Federal
  Financial Standards Number 10.

- Reviewed critical documents, for example, Cost Benefit Analysis (CBA) Instructions,
  Strategic Planning Process, Information Technology Systems (ITS) BCP, and the
  Information Technology Investment Portfolio System (I-TIPS) (see Appendix C) and
  other documents.

- Interviewed pertinent SSA Headquarters staff within OFAM and Systems.

- Conducted phone interviews with staff from the Departments of Labor, Housing and
  Urban Development, and Treasury as well as the General Services and Small
  Business Administrations.

- Reviewed seven IT projects through SSA’s IT capital planning and investment
  control process and evaluated the results. We selected the projects from SSA’s
  February 9, 1999, key initiative schedule. The schedule had three different priority
  levels, with level I having the highest priority. We selected four projects from level I,
  two projects from level II and one project from level III.

- Performed other analysis in support of our conclusions, for example, SSA’s 5-Year
  Systems Plan for missing return on investment information, etc.

We conducted our fieldwork at SSA Headquarters in Baltimore, Maryland, from
January 1999 through March 2000. We conducted this audit in accordance with
generally accepted government auditing standards.
The entities audited were ITSRS
within the OFAM and the Office of Systems Planning and Integration (OSPI) within the
Office of the Deputy Commissioner for Systems.


Results of Review

The results of our testing of SSA’s IT Capital Planning and Investment Control Process
and interviews with SSA personnel have identified several improvements SSA needs to
consider regarding its implementation of CCA. Overall, SSA’s IT capital planning and
investment process does not fully support a capital planning and investment control
process as envisioned by GAO and the Federal CIO Council for compliance with CCA.
Improvements are needed in the Selection, Control, and Evaluation phases of the GAO
model and the Federal CIO Council’s recommended IT capital planning and investment
control process. Using the GAO model, we have outlined our findings by phase.

SELECTION PHASE

Sections 5122(a), 5122(b)(3), and 5122(b)(5) of the CCA require proposed IT projects
be ranked for risk and return. However, SSA’s Strategic Planning Process does not
require an assessment of risk and return for proposed IT projects. Also, SSA had not
established a documented process (risk modeling) for ranking (a numerical subjective
ranking) its IT projects for risk and return. Categories of risk and return would include:
(1) technical risk; (2) scheduling risk; (3) benefit-cost impact (low return on investment);
and (4) quality of cost estimates.
Finally, SSA was not using any decision support
software (DSS) to assist in its decisionmaking process.

IT projects with high risks are attributable to: (1) scope and requirements not being well
defined; (2) benefits not being clearly identified; and (3) soft cost estimates that could
result in significant exposure to additional cost and implementation delays. Based on
our analysis of the seven IT projects, we identified three projects that we believe should
have been classified as high-risk because of their complexity.

Appendix D shows the risk ranking for three projects we rated overall as being very
risky (high-risk) projects.

Chart 1—Seven IT Projects Reviewed

Project Special   Resource Accounting   Overall Rated
Expense Item      System                Risky
Number            Number                Projects         Project Name

567               2611                  Yes              Expanded Electronic Wage Reporting System
145               7871                                   Financial Accounting Tracking Systems
702               2590                                   Management Information for Intelligent Work
                                                         Station/Local Area Network (IWS/LAN)
704               6412                                   Policy Net/Policy Repository
740               5022                                   Video Teleconferencing Service
529               6863                  Yes              Integrated Human Resources System
Various           Various               Yes              Re-engineering Disability System

Because these three projects started before CCA’s August 1996 effective date, SSA
was not required to perform risk assessments. However, if SSA had performed risk
assessments, it may have identified these projects as high-risk.
This may have caused
the Agency to re-evaluate the selection and investment made in these systems until the
related risk became more manageable and returns were better quantified. In addition,
we believe SSA would have been better able to anticipate the increased cost and
project time delays these three projects experienced.

SSA informed us it did not perform a ranking and risk assessment because the
assessment would have been subjective, and the Agency did not see much value in
doing it. SSA also did not know who in the Agency would perform the assessment.
SSA further added that because it usually does a pilot first, it is in effect performing a
ranking and risk assessment to identify and minimize risk by determining whether it is
cost-beneficial to implement the IT project. However, based on our review of SSA’s IT
projects, once pilot money has been spent, SSA has traditionally continued to spend
money until the project is implemented. We could not find a project that had been
terminated after the pilot within the last 3 years. Project sponsors and managers have
viewed pilot funding as approval for implementation.

We conducted a meeting with SSA on November 15, 1999 to discuss our findings. At
that meeting, SSA stated it was implementing a Risk Identification and Mitigation
System (RIMS) it believed would provide an adequate assessment of risk. We
reviewed RIMS guidelines, procedures and its placement in SSA’s overall IT planning
and investment control process and concluded RIMS is not the solution. RIMS is
intended to be used by the project manager after SSA’s senior management has
approved the project for development. Also, RIMS does not specifically prompt project
managers to assess risk in the following categories: software, hardware, technology,
cost, schedule, benefits, and resources.
If SSA were to use RIMS for risk modeling,
RIMS would have to be modified to require project managers to assess risk for each
category. Also, RIMS would have to be moved from the Control phase to the Selection
phase (strategic planning process) so senior SSA managers can assess risk before a
proposed IT project is approved and funds disbursed. SSA needs to develop
risk-modeling techniques in the Selection phase when making decisions about proposed IT
projects, as required by CCA.

Other agencies we contacted[4] were using DSS like “Expert Choice” to assist them in
selecting the right portfolio of IT investments. Using DSS helps build consensus
because decisionmakers have to assess each project’s criteria, define parameters, and
weigh judgments.

CONTROL PHASE

Section 5122(b)(2) of the CCA requires an integrated process (system) to support an
agency’s capital planning and investment control process. SSA’s tracking systems
were not integrated to support a comprehensive capital planning and investment control
process. The lack of systems integration is directly attributable to the following.

- SSA had not captured all cost information for IT projects as required by section
  5002(3)(B) of the CCA. SSA has not established an IT project accountability system
  to obtain all cost information.

- SSA had not continually monitored in-process reviews for performance, as required
  under sections 5122(b)(6) and 5125(c)(2) of the CCA. SSA has not compared its
  project cost and time expended in its projects to their expected amounts.
  Since SSA
  does not perform these types of variance analysis, it cannot report exceptions, when
  costs increase by 10 percent or when scheduled dates slip by 6 months.

[4] Department of the Treasury, United States Customs Service, General Services Administration.

Integration

Chart 2 shows some of SSA’s stand-alone tracking systems, their use, and the SSA
component responsible for this system.

Chart 2—Tracking Systems

System                      Use                               Component

Executive Management        IT project planning, GPRA         Office of Systems
Information System          strategic planning, financial
                            information, operational
                            statistics, etc.

Procurement Tracking        Monitoring status of IT           Office of Systems
System                      requisitions

Intranet sites like Vital   Monitoring status of some         Office of Systems
Signs and Observations      IT projects
Report

Resource Accounting         Reporting and analyzing           Office of Systems
System                      time against IT projects

Financial Accounting        Identifying commitments,          Office of Finance
System                      obligations and
                            expenditures

Each tracking system captures a portion of the overall data for IT project development.
These systems are not integrated.
As a result of this fragmented approach, SSA’s
systems do not support the capital planning and investment control process as
envisioned by GAO and the CIO Council for CCA compliance.

To address the need for an integrated system, the Federal CIO Council has
recommended agencies consider using the federally funded software, I-TIPS (see
Appendix C for details). I-TIPS provides a convenient, central repository (data base) for
IT project-related information accessible through the Intranet. In March 1999, SSA
evaluated the usefulness of I-TIPS. At that time, SSA did not recommend I-TIPS
because it would neither replace SSA’s systems nor provide automated links to retrieve
data from these systems. Therefore, I-TIPS would result in a significant data entry
workload. SSA further stated I-TIPS was designed to capture all costs associated with
a project, including in-house personnel costs. SSA did not routinely capture total cost
information for most of its major projects. Furthermore, I-TIPS requires benefits to be
quantified and performance measures identified for major projects. SSA’s strategic
planning guidance does not require this information to be provided for Agency key
initiatives, and not having this information limits the usefulness of I-TIPS for SSA.

SSA has acknowledged its tracking systems are not integrated to fully support a capital
planning and investment control process. However, SSA’s position has been to take a
“wait and see” attitude if other large Federal agencies have successfully implemented
an integrated capital planning and investment control system.
We believe SSA should
re-evaluate this position now that other large agencies like the General Services
Administration, Department of Energy, and Department of Agriculture have successfully
implemented an integrated capital planning and investment control process using
I-TIPS. I-TIPS would provide SSA the much-needed integration to support IT
decisionmaking. In addition, I-TIPS would require SSA to begin the discipline of
collecting the full range of information (total costs, quantified benefits, performance
measures, etc.) on investments called for by CCA.

IT Project Accountability System

Ability needed to determine project cost to-date?

For each of the seven IT projects we reviewed, we asked SSA the cumulative amount it
had spent on the project to-date and how much more it planned to spend. SSA said this
type of information was not available in a single management information source and
would require SSA to look at several individual systems and retrieve several years’
worth of data to obtain the answer. To readily retrieve this information, SSA needs an
IT project accountability system for capturing and storing various types of cost by year
(that is, internal labor, training, travel, external purchases, etc.). We believe not having
this type of financial information for each IT project has limited SSA’s ability to monitor
and evaluate performance via variance analysis and exception reporting.

We obtained information from various systems to determine the cumulative amount
SSA had actually spent to-date for the seven projects we reviewed. We estimate SSA
spent about $118.3 million with external costs of $77.3 million and internal costs of
$41 million.
Appendix E shows the external and internal costs and work years as of
August 14, 1999, for each of the seven projects.

The Budget Execution Report (BER) only serves as documentation of CIO approval for
external cost decisions in the Information Technology Systems (ITS) budget. We could
not find a similar approval document for internal costs. As a result, the CIO had not
approved all IT investment cost, that is, internal cost. This would be about $41 million
(35 percent of the total estimated project cost) for the seven IT projects in our review.

ITSRS asserted that, since the CIO was also the Principal Deputy Commissioner, the
CIO had approval authority over all internal IT cost budget decisions. We agree the
Principal Deputy Commissioner [5] had the authority; however, we could not find
documented evidence of CIO approval for internal IT cost budget decisions similar to
the BER. For example, if a project manager requests an additional $100,000 in
contractor support (external cost) over the budgeted amount, the request would have to
go through ITSRS for review, and CIO approval would be documented in the BER.
However, if the same project manager were able to get the support internally, there
would be no documented CIO approval for the transfer.

[5] Effective October 5, 2000, the CIO position has changed and is now within the
    Office of the Deputy Commissioner for Social Security.

Another example of the importance of having a project accountability system that can
capture all internal costs for CIO review and approval involved the management
information system for the IWS/LAN project (Special Expense Item 702). The IWS/LAN
management information project incurred internal costs five times greater than its
external costs.
Yet only the external costs were readily available for CIO review and
approval.

The purpose of this project is to build the hardware/software infrastructure that will allow
the modernization of the management information environment and the integration of
management information data. The end-users, through their desktops, can query and
analyze Agencywide data organized by subject matter. As of August 14, 1999, the
Office of Systems’ internal cost (about 85 percent of the total cost) was about
$6.8 million for 97.1 workyears with external costs of only about $1.2 million. ITSRS
has not recommended any additional external funding (for the purchase of hardware
and software) until the Office of Systems provides a CBA justification. While we agree
with ITSRS’ position, the Office of Systems has already spent over $6 million in internal
resources on this project. If SSA had a project accountability system, internal cost
information would be available to help management analyze total cost information and
make informed decisions.

On November 15, 1999, we met with SSA to discuss our findings. SSA felt its proposed
Managerial Cost Accountability System (MCAS) would address our concern about the
lack of an IT project accountability system. We reviewed MCAS background, scope,
functionality, and project status and concluded it will probably address SSA’s need for
an IT project accountability system. However, the implementation strategy for MCAS is
complex and has four major parts. According to the latest status report, SSA has been
concentrating on the first major part, which is the renovation of the Cost Analysis
System. For this System, SSA has completed two of the four scheduled releases. The
last 2 releases are scheduled for the second and third quarters of
Fiscal Year (FY) 2001. The other three major parts are still in the planning and analysis
stage.
Incorporating functionality for an IT project (cost) accountability system into
MCAS is probably several years in the future.

How much will be spent in the future?

We could not obtain information on SSA’s anticipated spending level for each of these
IT projects or when these projects are expected to be completed because SSA does not
know. Historically, SSA has underestimated the final costs and target implementation
dates of IT projects. We found part of the reason has been in the initial CBA
documents that justified the approval of the IT projects. The CBAs have historically
been revised upward to reflect unanticipated cost by sponsors and project managers.
We attribute the unanticipated cost to IT project scopes and functionality not being well
defined. Also, SSA has not held sponsors and project managers accountable for poor
cost estimates.

SSA accepts the underestimated CBA cost practice because benefits have to be
revised through new CBAs to justify the higher cost. We found that benefit methodology
assumptions usually can be changed to justify the additional cost. For example, an
internal communication on the Integrated Human Resource System suggests SSA may
need to extend the system’s life so additional benefits can be added to compensate for
the amount of the system’s delay or cost overrun.

More Information for Monitoring Performance

SSA has not continually monitored in-process reviews for performance. One reason
has been a general lack of target indicators.
Specifically, we found the following
performance monitoring information was missing.

• None of the six IT projects we reviewed contained an ITSRS analysis concerning
  milestone dates with specific deliverables.

• Of the seven proposed key IT initiatives presented at the Executive Planning Board
  Meeting on February 9, 1999, none had a quantified benefit. Only one had an
  estimated cost.

• For SSA’s July 12, 1999 5-Year Systems Plan, 268 (about 80.7 percent) of the
  332 line item tasks scheduled for completion by the end of FY 2000 had no
  return-on-investment information. Even the Deputy Commissioner for Systems in a
  February 26, 1999, memorandum to the Deputy Commissioners raised the question
  whether SSA should continue to work on the items in the 5-Year Systems Plan with
  no return-on-investment.

For the seven (multi-year) projects we reviewed, SSA had not performed cost and
scheduling variance analyses from the start of the project. We noted, however, that
SSA was performing cost variance analyses on selected IT projects for current year
activity only (see discussion below). Variance analysis compares estimates with
actuals. Gaps or differences should be analyzed and explanations documented. In
connection with variance analyses, SSA has not performed any exception reporting, for
example, costs increased by 10 percent or a schedule slipped by 6 months.

SSA responded it is difficult to analyze variances in cost or schedules because the
expected total IT project cost (base period) and implementation schedule keep
changing through revised CBAs during the life of the IT project. This is why SSA should
monitor its cost and schedule variances. Lessons learned from variance analyses
should be built into the criteria for the Selection and Control phases to improve the IT
planning and investment control process.
SSA, however, believes it is continually
monitoring performance and cites the investment review process, and various
management information reports on SSA’s Intranet site, such as the Vital Signs and
Observations Report (VISOR) [6], and the Resources and Integration Budget System
(RIBS), as tools for monitoring performance. While we agree these are important tools,
they are not always timely or do not provide information about the total performance
from the start of the project to-date.

From our review of ITSRS’ analysis, we do not believe ITSRS asks to see deliverables
or milestone dates unless the sponsor and project manager have requested more
money than planned and there is a cost overrun for the project. An investment review is
only triggered when there actually is a cost overrun problem. We could not find where
an investment review had been triggered for other reasons, such as the user not getting
the expected functionality (performance) or significant delays in the expected
implementation. SSA should be continually monitoring a project’s performance and not
wait until a cost overrun occurs.

Finally, we would like to recognize SSA’s efforts in reporting cost variance information
under RIBS. This is a good start but SSA needs to go further. Variance information is
only available for current year activity (current budget to actual) and needs to be
expanded to include prior year’s variances to show total variance on the project to-date.
Also, RIBS is only available for those IT projects that have been identified by SSA as
having the highest priority. We reviewed the Agency’s 30 highest priority projects for
the week ending May 29, 1999.
Our analysis indicated critical information missing for
savings and workyear estimates:

• 4 projects were missing estimated workyears,

• 21 projects were missing savings information, and

• 4 projects had significantly inaccurate workyear estimates.

The second point, and probably the most significant, is that the Agency’s highest priority
projects only accounted for 658 (about 39 percent) of the 1,672 workyears available in
FY 1998 by the Office of Systems to work on IT projects. Therefore, more than
60 percent of the workyears in FY 1998 were not controlled for cost information such as
a variance analysis.

EVALUATION PHASE

Performing post-implementation reviews is a requirement under sections 5122(b)(1) and
5125(c)(2) of the CCA. SSA has not established a post-implementation review process
(policies and procedures) nor has it targeted any IT projects for post-implementation
review except the review of the IWS/LANs project requested by Congress. More
importantly, SSA has missed an opportunity to provide feedback to improve its
investment management process. Valuable lessons learned could be incorporated into
the Selection and Control phases to help minimize risk and maximize benefits on future
IT projects.

[6] VISOR is a management advisory report being maintained by the OSPI.

Specifically, lessons learned for why SSA has often historically under-estimated total IT
cost should be built back into the selection criteria to help ensure greater
implementation success of future projects. This was evidenced by the cost over-runs
for the Electronic Wage Reporting and Integrated Human Resources Systems.
Also,
SSA should determine why projects, such as the Re-engineered Disability System, had
to be redirected, costing SSA about $35 million.

ITSRS has acknowledged its responsibility for performing post-implementation reviews.
ITSRS, however, has not been able to obtain the staff necessary to perform this
function because of budget constraints.

ITSRS further stated that through SSA’s Target Investment Review Process, it felt the
Agency had a post-implementation review (PIR) process established. Using GAO
criteria, we evaluated SSA’s one-half page of broad guidelines. The following lists
some of the GAO questions we used to determine whether SSA had an established PIR
process.

1. Does SSA have a defined, documented process for conducting PIRs of IT projects?

   • Is the purpose of the PIR process clearly explained and communicated?

   • Is the process clear about when PIRs are to be conducted? Are regular PIRs
     required to ensure completed projects are reviewed in a timely manner?

   • Does the process delineate roles, responsibilities, and authorities for people and
     offices involved in conducting the PIRs?

   • Does the process stipulate how conclusions and recommendations resulting from
     PIRs are to be communicated to and reviewed by senior management?

2. Does SSA have a standardized methodology for conducting PIRs? At a minimum, is
   there an assessment of customer satisfaction, mission/programmatic impact, and
   technical/capability?

3. What steps does SSA require to ensure PIRs are conducted independently and
   objectively?
   Are the results of the PIRs validated or verified?

We could not answer yes to any of these questions and therefore concluded that
one-half page of broad SSA guidelines was not sufficient to be considered as having
established PIR policies and procedures.

Conclusions and Recommendations

SSA recognizes the need to improve its IT capital planning and investment control
process for compliance with the CCA. Some steps SSA has taken include:

• approving through SSA’s Strategic Planning Process proposed IT projects for
  strategic fit against the Agency’s mission and goals;

• establishing a CIO to foster Agencywide awareness of, and involvement in, IT
  issues; and

• requiring through SSA’s BCP, that major IT projects be grouped into smaller more
  manageable project phases like prototyping, piloting, limited implementation before
  full SSA implementation.

However, results of our testing of SSA’s IT capital planning and investment control
process and interviews with SSA personnel have identified several improvements SSA
needs to consider regarding its implementation of CCA. We found overall, SSA’s IT
capital planning and investment process does not fully support GAO’s vision and the
Federal CIO Council for compliance with CCA. Improvements are needed in the
Selection, Control, and Evaluation phases of the GAO model and the Federal CIO
Council’s recommended IT capital planning and investment control process.

First, SSA needs to rank, select, and develop its IT projects based on a formal
methodology that considers risk and return.
SSA has no such methodology and, as a
result, was not able to effectively anticipate the increased costs and project time delays
it encountered in all three high-risk projects we reviewed. Because these three projects
began before CCA became effective, SSA was not required to complete a formal risk
assessment. However, good business practice and the subsequent passage of CCA
call for the use of a formal risk assessment.

In our November 15, 1999, meeting with SSA to discuss our findings, SSA stated it was
implementing RIMS and believed RIMS would provide SSA with an adequate
assessment of risk. Our review found RIMS is not the solution. RIMS is designed to be
used by the project manager in the Control phase after the project has already been
approved for funding. CCA and good business practice call for a risk assessment to be
done before a project is approved for funding. Also, SSA should begin evaluating the
use of DSS to assist the Agency in the selection of proposed IT projects. This would
result in SSA putting more structure into its decision selection process.

Second, SSA should begin planning for an overall integration of its tracking systems into
a comprehensive IT capital planning and investment control process. SSA’s
management information systems, critical for planning, capturing cost and tracking
progress of its systems development efforts, are incomplete and fragmented throughout
its components. As a result, SSA’s management responsible for approving and
monitoring the development of its systems is not being provided comprehensive and
complete information on which to base its decisions. This type of integrated system is a
requirement under section 5122(b)(2) of the CCA.
SSA, through the I-TIPS software,
could effectively develop a comprehensive IT capital planning and investment control
process like other agencies.

SSA’s lack of systems integration has also contributed to other conditions the Agency
needs to consider. Specifically, SSA has not established an IT project accountability
system for capturing and analyzing all costs associated with an IT project. Also, SSA
should be requesting more management information to perform variance analysis and
exception reporting as ways to improve its ability to monitor IT projects. In a meeting
with SSA on November 15, 1999, SSA believed its planned MCAS would address our
concern of an IT project accountability system. We agree; however, incorporating an IT
project accountability system into MCAS is several years in the future.

Third, SSA needs to develop policies and procedures for post-implementation reviews
and become more proactive by targeting several completed IT projects for review. PIRs
are a requirement under sections 5122(b)(1) and 5125(c)(2) of the CCA.
ITSRS recognizes its responsibility to perform these reviews; however, because of
budget constraints, it has not been able to obtain the staff necessary to perform this
function.

We recommend SSA:

Finding 1 – Selection Phase

1. Develop a risk model and use it in the strategic planning process for all proposed IT
   projects. Selection criteria should include weighing risk for cost, benefits, schedule,
   technical, etc.

2. Evaluate using DSS tools like Expert Choice to further assist SSA in its selection of
   IT projects. Expert Choice allows the user to take the intangibles of decisionmaking
   (experience, insight, and judgment) and weigh them against a customized set of
   criteria.

Finding 2 – Control Phase

3.
   Redesign SSA’s Capital Planning and Investment Control Process to incorporate the
   processes for making budget, financial and program management decisions within
   the Agency into one integrated system. SSA could implement this recommendation
   through the use of the I-TIPS software (see Appendix C).

4. Design and implement an IT project accountability system that: (a) captures all
   funds spent with budgeted cost; (b) allows expanded scheduling information like
   expected versus actual implementation date, including milestone dates; and (c)
   includes performance indicators like return on investment or any other benefit
   measures.

5. Require benefits to be quantified and performance measures to be identified for
   major projects in SSA’s strategic planning guidance.

6. Request management information on the financial accounting of each project (spent
   to-date and the amount remaining to be spent), milestones, and expected
   implementation date.

7. Perform variance analysis and exception reporting on cost and scheduling time
   frames.

Finding 3 – Evaluation Phase

8. Establish policies and procedures for conducting post-implementation reviews.

9. Perform post-implementation reviews on appropriate IT projects.

AGENCY COMMENTS

In response to our draft report, SSA generally agreed to explore and/or assess our
recommendations.
Specifically, SSA plans to explore more systematic risk modeling
procedures for proposed IT projects by:

   • evaluating decision support software like Expert Choice;

   • re-examining I-TIPS as a tool to collect, analyze and report IT project
     accountability information;

   • establishing more detailed policies and procedures for conducting
     post-implementation reviews in 2001; and

   • performing post-implementation reviews on appropriate IT projects. (See
     Appendix F for SSA’s comments.)

However, in its response to recommendation 1, SSA stated OIG’s conclusion that the
Agency did not recognize the risks associated with three of its projects is incorrect.
SSA believes that while a formal risk assessment was not done for these projects, the
Agency was aware of the risk involved, and it considered these risks in its discussions
and decision making.

OFFICE OF THE INSPECTOR GENERAL RESPONSE

We disagree with SSA’s implication that it took sufficient steps assessing the risks for
the three projects. We also take issue that the Agency was aware of the risks involved,
and considered these risks in its discussions and decision making.

The OIG believes that a risk assessment at the beginning of these projects, as now
required under CCA, would have helped SSA to better understand the risks of each
project before the Agency had committed significant resources. Understanding the risks
would also have enabled the Agency to better assess the projects’ scope and
functionality.

It is not enough that certain individuals may have been informally aware of some risks
as these projects progressed.
For example, the incremental investment reviews
requested by the CIO were initiated several years after the projects’ implementation and
by then the projects were already significantly over budget. Furthermore, once the
Agency makes a decision to proceed with the projects, the risks involved need to be
formally disseminated among appropriate management and project team members.
Management and project members can then take steps necessary to deal with and
minimize the risks associated with each project.

Appendices

Appendix A

Excerpts from the Clinger-Cohen Act

SEC. 5002. DEFINITIONS

In this division:
    (1) DIRECTOR—The term "Director" means the Director of the Office of
Management and Budget.
    (2) EXECUTIVE AGENCY—The term "executive agency" has the meaning given
that term in section 4(1) of the Office of Federal Procurement Policy Act (41 U.S.C.
403(1)).
    (3) INFORMATION TECHNOLOGY—(A) The term "information technology (IT)",
with respect to an executive agency means any equipment or interconnected system or
subsystem of equipment, that is used in the automatic acquisition, storage,
manipulation, management, movement, control, display, switching, interchange,
transmission, or reception of data or information by the executive agency.
For purposes
of the preceding sentence, equipment is used by an executive agency if the equipment
is used by the executive agency directly or is used by a contractor under a contract with
the executive agency which (i) requires the use of such equipment, or (ii) requires the
use, to a significant extent, of such equipment in the performance of a service or the
furnishing of a product.
        (B) The term "IT" includes computers, ancillary equipment, software, firmware
and similar procedures, services (including support services), and related resources.
        (C) Notwithstanding subparagraphs (A) and (B), the term "IT" does not include
any equipment that is acquired by a Federal contractor incidental to a Federal contract.
    (4) INFORMATION RESOURCES—The term "information resources" has the
meaning given such term in section 3502(6) of title 44, United States Code.
    (5) INFORMATION RESOURCES MANAGEMENT—The term "information
resources management" has the meaning given such term in section 3502(7) of title 44,
United States Code.
    (6) INFORMATION SYSTEM—The term "information system" has the meaning
given such term in section 3502(8) of title 44, United States Code.
    (7) COMMERCIAL ITEM—The term "commercial item" has the meaning given that
term in section 4(12) of the Office of Federal Procurement Policy Act (41 U.S.C.
403(12)).

SEC. 5122.
CAPITAL PLANNING AND INVESTMENT CONTROL

    (a) DESIGN OF PROCESS—In fulfilling the responsibilities assigned under section
3506(h) of title 44, United States Code, the head of each executive agency shall design
and implement in the executive agency a process for maximizing the value and
assessing and managing the risks of the information technology acquisitions of the
executive agency.
    (b) CONTENT OF PROCESS—The process of an executive agency shall—
       (1) provide for the selection of information technology investments to be made
by the executive agency, the management of such investments, and the evaluation of
the results of such investments;
       (2) be integrated with the processes for making budget, financial, and program
management decisions within the executive agency;
       (3) include minimum criteria to be applied in considering
whether to undertake a particular investment in information systems, including criteria
related to the quantitatively expressed projected net, risk-adjusted return on investment
and specific quantitative and qualitative criteria for comparing and prioritizing alternative
information systems investment projects;
       (4) provide for identifying information systems investments that would result in
shared benefits or costs for other Federal agencies or State or local governments;
       (5) provide for identifying for a proposed investment quantifiable measurements
for determining the net benefits and risks of the investment; and
       (6) provide the means for senior management personnel of the executive
agency to obtain timely information regarding the progress of an investment in an
information system, including a system of milestones for measuring progress, on an
independently verifiable basis, in terms of cost, capability of the system to meet
specified requirements, timeliness, and quality.

SEC. 5125.
AGENCY CHIEF INFORMATION OFFICER

    (a) DESIGNATION OF CHIEF INFORMATION OFFICERS (CIO)—Section 3506 of
title 44, United States Code, is amended—
        (1) in subsection (a)
            (A) in paragraph (2)(A), by striking out "senior official" and inserting in lieu
                thereof "CIO";
            (B) in paragraph (2)(B)—
                (i) by striking out "senior officials" in the first sentence and inserting in
                lieu thereof "CIO";
                (ii) by striking out "official" in the second sentence and inserting in lieu
                thereof "CIO"; and
                (iii) by striking out "officials" in the second sentence and inserting in lieu
                thereof "CIO"; and
            (C) in paragraphs (3) and (4), by striking out "senior official" each place it
                appears and inserting in lieu thereof "CIO"; and
        (2) in subsection (c)(1), by striking out "official" in the matter preceding
subparagraph (A) and inserting in lieu thereof "CIO".
    (b) GENERAL RESPONSIBILITIES—The CIO of an executive agency shall be
responsible for—
        (1) providing advice and other assistance to the head of the executive agency
and other senior management personnel of the executive agency to ensure that
information technology (IT) is acquired and information resources are managed for the
executive agency in a manner that implements the policies and procedures of this
division, consistent with chapter 35 of title 44, United States Code, and the priorities
established by the head of the executive agency;
        (2) developing, maintaining, and facilitating the implementation of a sound and
integrated IT architecture for the executive agency; and
        (3) promoting the effective and efficient design and
operation of all major
information resources management processes for the executive agency, including
improvements to work processes of the executive agency.
    (c) DUTIES AND QUALIFICATIONS—The CIO of an agency that is listed in
section 901(b) of title 31, United States Code, shall—
        (1) have information resources management duties as that official's primary
            duty;
        (2) monitor the performance of IT programs of the agency, evaluate the
performance of those programs on the basis of the applicable performance
measurements, and advise the head of the agency regarding whether to continue,
modify, or terminate a program or project; and
        (3) annually, as part of the strategic planning and performance evaluation
process required (subject to section 1117 of title 31, United States Code) under section
306 of title 5, United States Code, and sections 1105(a)(29), 1115, 1116, 1117, and
9703 of title 31, United States Code—
                (A) assess the requirements established for agency personnel regarding
        knowledge and skill in information resources management and the adequacy of
        such requirements for facilitating the achievement of the performance goals
        established for information resources management;
                (B) assess the extent to which the positions and personnel at the
        executive level of the agency and the positions and personnel at management
        level of the agency below the executive level meet those requirements;
                (C) in order to rectify any deficiency in meeting those requirements,
        develop strategies and specific plans for hiring, training, and professional
        development; and
                (D) report to the head of the agency on the progress made in improving
        information resources management capability.
    (d) INFORMATION TECHNOLOGY ARCHITECTURE DEFINED—In this section,
the term "information technology architecture", with respect to an executive agency,
means an integrated framework for evolving or maintaining existing IT and acquiring
new IT to achieve the agency's strategic goals and information resources management
goals.
    (e) EXECUTIVE LEVEL IV—Section 5315 of title 5, United States Code, is
amended by adding at the end the following:

            "Chief Information Officer, Department of Agriculture.
            "Chief Information Officer, Department of Commerce.
            "Chief Information Officer, Department of Defense (unless the official
   designated as the Chief Information Officer of the Department of Defense is an
   official listed under section 5312, 5313, or 5314 of this title).
            "Chief Information Officer, Department of Education.
            "Chief Information Officer, Department of Energy.
            "Chief Information Officer, Department of Health and Human Services.
            "Chief Information Officer, Department of Housing and Urban Development.
            "Chief Information Officer, Department of Interior.
            "Chief Information Officer, Department of Justice.
            "Chief Information Officer, Department of Labor.
            "Chief Information Officer, Department of State.
            "Chief Information Officer, Department of Transportation.
            "Chief Information Officer, Department of Treasury.
            "Chief Information Officer, Department of Veterans Affairs.
            "Chief Information Officer, Environmental Protection Agency.
            "Chief Information Officer, National Aeronautics and Space Administration.
            "Chief Information Officer, Agency for International Development.
            "Chief Information Officer, Federal Emergency Management Agency.
            "Chief Information Officer, General Services Administration.
            "Chief Information Officer, National Science Foundation.
            "Chief Information Officer, Nuclear Regulatory Agency.
            "Chief Information Officer, Office of Personnel Management.
            "Chief Information Officer, Small Business Administration."


Appendix B

The Federal Chief Information Officer’s Council

The Federal Chief Information Officer’s (CIO) Council has endorsed the General
Accounting Office’s guidance as “best practices” for implementing the Clinger-Cohen
Act of 1996. The Federal CIO Council was established under Executive Order 13011,
Federal Information Technology. The Council serves as the principal interagency forum
for executive agency CIOs to:

•  develop recommendations for overall Federal information technology management
   policy, procedures, and standards;

•  share experiences, ideas, and promising practices, including work process redesign
   and the development of performance measures, to improve the management of
   information resources; and

•  identify opportunities, make recommendations for, and sponsor cooperation in using
   information resources.


Appendix C

Information Technology Investment Portfolio System

The Information Technology Investment Portfolio System (I-TIPS) is a Government
owned innovative web-based decision support and project management tool for
managing and tracking information technology (IT) investments.
The Federal Chief
Information Officer Council has recommended I-TIPS for agency heads to manage
their IT investments in accordance with the Clinger-Cohen Act of 1996. The software
assists managers and staff involved in IT planning to assess IT initiatives in terms of
cost, risk, and expected returns, and to determine the appropriate mix of IT investments
regarding these and other organizational and technological considerations. Specifically,
I-TIPS will allow the user to:

•  implement an effective managing and tracking process for selecting, controlling and
   evaluating IT investments;

•  apply industry and Government best practices to its IT investment strategy;

•  consolidate existing IT data bases and create a single repository for all IT
   investments;

•  construct a cost-effective portfolio of IT investments; and

•  comply with Federal laws and mandates pertaining to IT investments and the IT
   capital planning process.

I-TIPS is portable to a variety of operating environments and is in use at several Federal
organizations.[7] The Social Security Administration evaluated using I-TIPS in
March 1999 and elected not to use this software because I-TIPS would result in a
significant data entry workload for the Agency.

[7] The Departments of Housing and Urban Development, Agriculture, and Energy, the General Services
Administration, and the Small Business Administration.


Appendix D

Projects With High-Risk Ranking

We used General Accounting Office’s[8] risk modeling guidelines in making our risk determination.
We believe that the
high-risk ranking would have prevented the selection of these systems for investment until the risk became more
manageable and returns better quantified.

SEI* Number/Project Name: SEI 567 / Expanded Electronic Wage Reporting
    Organizational Risk:      Moderate Risk
    Cost Sensitivity Risk:    High Risk
                              Project is complex
                              Cost estimates not refined
                              For example, cost increase from $15 to $32 million in one budget cycle
    Schedule Risk:            Unknown Risk
    Original Implement Date:  Unknown
    Revised Implement Date:   Unknown

SEI Number/Project Name: SEI 529 / IHRS*
    Organizational Risk:      High Risk
                              Significant process redesign required
                              Significant personnel changes needed
                              Other agencies with similar projects had unanticipated project cost
                              increases and time delays.
    Cost Sensitivity Risk:    High Risk
                              Project is complex
                              Cost estimates not refined
                              For example, cost increase from $9.9 million from first estimate to
                              $16.5 million contract award. $16.5 million spent only 4 of 16
                              business functions complete
    Schedule Risk:            High Risk
                              Project execution likely to slip
                              Project staff is limited in size and experience
                              Complex project
    Original Implement Date:  4 phased release: 10/98, 4/99, 3/00, 9/01
    Revised Implement Date:   1) 1/99, (still in pilot)
                              2) 1/00
                              3) dropped
                              4) dropped

SEI Number/Project Name: Various SEI numbers for Reengineering Disability System
    Organizational Risk:      High Risk
                              Implementation strategy too large
                              Significant process redesign required
                              Significant personnel changes needed
                              Require buy-in from State disability determination services
    Cost Sensitivity Risk:    High Risk
                              Project is complex
                              Cost estimates not refined
                              For example, project cost has been about $70 million to-date and
                              the project still in the pilot phase.
    Schedule Risk:            High Risk
                              Project execution likely to slip
                              Project staff is limited in size and experience
                              Complex project
    Original Implement Date:  Unknown
    Revised Implement Date:   7 years from 1992 to 1998
                              RDS** not implemented as envisioned

*SEI - Special expense item
*IHRS - Integrated Human Resource System
**RDS - Re-engineered Disability System

[8] Assessing Risks and Returns: A Guide for Evaluating Federal Agencies’ IT Investment Decision-making, GAO/AIMD-10.1.13, issued
February 1997, appendix II, pp. 98-103.


Appendix E

External and Internal Project Costs

The Social Security Administration (SSA) spent approximately $118.3 million on the seven projects reviewed, of which
$77.3 million were external costs and $41 million were internal costs. The Budget Execution Report was the source for
the external costs and the Deputy Commissioner for Systems (DCS) was the source for the internally estimated costs.

Project SEI  RAS                    External Cost     Internal Estimated  Total Cost        Internal Cost  DCS Work Years
Number       Number   Project Name  YTD July 1999     Cost as of          ($000’s omitted)  Percent        as of
                                    ($000’s omitted)  August 14, 1999                       to Total       Aug. 14, 1999
567          2611     EWRS          $7,474            $2,827              $10,301           27             40.5
145          7871     FACTS         4,878             1,874               6,752             28             27.5
702          2590     MI IWS/LAN    1,228             6,845               8,073             85             97.1
704          6412     Policy Net    2,434             110                 2,544             4              1.5
740          5022     Video Conf.   2,792             699                 3,491             20             10.4
529          6863     IHRS          13,122 [1]        3,590 [2]           16,712            21             52.7
Various      Various  RDS           45,374 [3]        25,024 [4]          70,398            36             393.3
TOTAL COSTS                         $77,302           $40,969             $118,271          35             623.0

SEI - Special expense item
RAS - Resource Accounting System
EWRS - Expanded Electronic Wage Reporting System
FACTS - Financial Accounting Tracking System
MI IWS/LAN - Management information independent work station local area network
IHRS - Integrated Human Resource System
RDS - Re-engineered Disability System

[1] As of August 1999
[2] As of September 18, 1999
[3] As of May 3, 1999. Amount includes “other SSA labor”, Non-information technology system (ITS), ITS, and disability determination services
[4] As of May 3, 1999


Appendix F

AGENCY COMMENTS


MEMORANDUM

March 5, 2001                                                   Refer To: SIJ-3

To:        James G. Huse, Jr.
           Inspector General

           William A. Halter
           Acting Commissioner of Social Security

Subject:   Office of the Inspector General (OIG) Draft Report, "Information Technology Capital Planning
           and Investment Control Process at the Social Security Administration" (A-14-99-12004)-INFORMATION

           Attached are our comments concerning the draft report. Staff questions may be referred to
           Mark Welch at extension 50374.

           Attachment:
           SSA Comments


COMMENTS ON THE OFFICE OF THE INSPECTOR GENERAL’S DRAFT REPORT,
“INFORMATION TECHNOLOGY CAPITAL PLANNING AND INVESTMENT CONTROL
PROCESS AT THE SOCIAL SECURITY ADMINISTRATION” (A-14-99-12004)

We appreciate the opportunity to comment on this draft report.
As the draft report notes, many of the key Clinger-Cohen Act
(CCA) information technology (IT) management reforms were
already in place at the Social Security Administration (SSA)
years before the passage of CCA. In particular, SSA has had an
IT capital planning and investment control (CPIC) process in
place for many years and is continuing to refine its CPIC
process for major IT initiatives. As a result of this
continuing refinement, some aspects of the CPIC process
referenced in the draft report have changed. Our comments on
the draft report recommendations are provided below.

Recommendation 1

Develop a risk model and use it in the strategic planning
process for all proposed IT projects. Selection criteria should
include weighing risk for cost, benefits, schedule, technical,
etc.

Comment

As part of the refinement of its CPIC process, SSA will explore
more systematic risk modeling procedures for proposed IT
projects. We will investigate and document the requirements for
a capital planning risk management system.
As part of this
effort, SSA will consider the recommendations of the CIO
Council, Gartner Group, Carnegie-Mellon University’s Software
Engineering Institute, as well as internal experts. We will
also evaluate promising commercial off-the-shelf (COTS) decision
support tools with risk management capabilities, such as Expert
Choice. Analysis of available risk modeling tools in
conjunction with SSA component requirements will result in a
recommendation to the Commissioner by the end of the calendar
year concerning a comprehensive risk assessment and management
strategy for IT projects.

The draft report identifies three projects (Electronic Wage
Reporting System (EWRS), Integrated Human Resources System
(IHRS) and Reengineered Disability System (RDS)) as having high
risk. It concludes that SSA did not recognize the risks
associated with these projects, but might have identified them
as high-risk projects if a risk assessment using risk modeling
had been performed. However, the conclusion that SSA did not
recognize the risks associated with these projects is incorrect.
Although a formal risk assessment was not done for these
projects, the Agency was aware of the risks involved, and it
considered these risks in its discussions and decisionmaking.
The Chief Information Officer (CIO) subjected each of these
projects to special oversight through incremental investment
reviews.

It is important to recognize that all risks cannot be
anticipated and that the ability to continue and complete
projects in accordance with plans can be significantly impacted
by factors such as budget constraints, labor issues and
political considerations that are beyond the control of an
agency. Moreover, legislative mandates can have a significant
impact on SSA’s IT project portfolio and on planned IT project
development and implementation schedules. This is because
legislative mandates can result in unanticipated, high-priority,
resource-intensive IT projects that must be implemented under
demanding time constraints. Supporting the implementation of
new legislation can require the immediate addition of new
projects to SSA’s IT investment portfolio, the reprioritization
of projects, the reallocation of limited resources from other
projects to meet legislative mandates, and delays in the planned
development and implementation schedules for the projects
impacted.

Recommendation 2

Evaluate using decision support software (DSS) tools like Expert
Choice to further assist SSA in its selection of IT projects.
Expert Choice allows the user to take the intangibles of
decisionmaking (experience, insight, and judgment) and weigh
them against a customized set of criteria.

Comment

As stated in the response above, SSA will assess Expert Choice
and possibly other DSS tools. However, it is important to note
that while a DSS tool can ensure that a customized set of
evaluation criteria is used in the IT project selection phase
and provide some documentation of that aspect of the CPIC
process, these tools come with their own sets of constraints and
limitations that may relegate their value and importance to an
ancillary role in the overall process. Moreover, human
decision-makers are capable of assessing project criteria,
defining parameters and weighing judgments without an automated
tool.

Recommendation 3

Redesign SSA’s Capital Planning and Investment Control Process
to incorporate the processes for making budget, financial and
program management decisions within the Agency into one
integrated system. SSA could implement this recommendation
through the use of the Information Technology Investment
Portfolio System (I-TIPS) software.

Comment

Though an integrated system may enhance the Agency’s CPIC
process, Section 5122(b)(2) of the CCA requires an integrated
process, rather than an integrated system.

When SSA reviewed I-TIPS in February 1999 and assessed what
would be required for its implementation and the improvements
I-TIPS would provide for SSA’s CPIC process, I-TIPS did not
provide enough benefits to warrant implementation at SSA. Since
then, the product has matured and SSA is reexamining it.

SSA will assess I-TIPS as a tool to collect, analyze and report
IT project accountability information and review Expert Choice,
and possibly other similar COTS packages, for consideration as
partnered tool(s).

Recommendation 4

Design and implement an IT project accountability system that
(a) captures all funds spent with budgeted cost;
(b) allows expanded scheduling information like expected versus
actual implementation date, including milestone dates; and
(c) includes performance indicators, such as return on
investment or any other benefit measures.

Comment

As part of our ongoing efforts to enhance our CPIC process, we
will assess the ability of I-TIPS to interface with SSA’s
current and planned CPIC process support systems to better track
IT project costs, progress and performance and compare actual
results with those planned. We may also consider other
alternatives for project accountability if appropriate.

Recommendation 5

Require benefits to be quantified and performance measures to be
identified for major projects in SSA’s strategic planning
guidance.

Comment

SSA’s strategic planning guidance requires benefits to be
determined for key initiatives. While the benefits and
performance measures may not have been well documented for some
projects, this has been due more to inconsistent performance in
some cases than to lack of policy and procedures. Even in
instances where documentation may appear sparse, the Agency has
always considered benefits and costs in its IT project
decision-making, and will place emphasis on better documenting them as
part of the refinement of its CPIC process.

Recommendation 6

Request management information on the financial accounting of
each project (spent to-date and the amount remaining to be
spent), milestones, and expected implementation date.

Comment

Although this management information has historically been
considered and will continue to be considered in decision-making
on IT projects, we will evaluate whether a system, such as
I-TIPS, is able to enhance our process.

Recommendation 7

Perform variance analysis and exception reporting on cost and
scheduling time frames.

Comment

Our review of I-TIPS will include an assessment of its ability
to collect, analyze and report IT project accountability
information to better track IT project costs, progress and
performance and compare actual results with those planned.
Other alternatives for achieving this may be considered.

Recommendation 8

Establish policies and procedures for conducting
post-implementation reviews.

Comment

SSA’s target CPIC process includes post-implementation reviews.
The Agency will establish more detailed policies and procedures
for conducting post-implementation reviews in 2001.

Recommendation 9

Perform post-implementation reviews on appropriate IT projects.

Comment

SSA expects to perform post-implementation reviews on
appropriate IT projects, in accordance with its CPIC process.

Other Comments

The chart on page 8 of the draft report identifies the EMIS and
shows the "use" and "responsible component" for the system.
Both should be revised as
follows:

•  The EMIS is used for much more than IT project planning. The
   scope of the data housed in the EMIS includes data and
   documents related to various aspects of Government Performance
   and Results Act (GPRA) strategic planning, GPRA strategic
   performance management and reporting, project management for
   important Agency, non-GPRA and non-IT projects, financial
   information and guidance, and operational statistics. It is
   not simply an IT project tracking system, but serves broader
   Agency information and data needs.

•  The responsible SSA component for the EMIS is not the Office
   of Strategic Management; rather it is the Executive Support
   Staff in the Office of Systems.


Appendix G

OIG Contacts and Staff Acknowledgements

OIG Contacts
   Kitt Winter, Director, Systems Audit Division, (410) 965-9702

   Albert Darago, Audit Manager, Systems Audit Division
   (410) 965-9710

Acknowledgments
In addition to those named above:

   Randy Townsley, Senior Auditor

   Kimberly Beauchamp, Writer-Editor, Policy, Planning and Technical Services
   Division


DISTRIBUTION SCHEDULE

No. of
Copies  Recipient
     1  Commissioner of Social Security
    10  Management Analysis and Audit Program Support Staff, OFAM
     1  Inspector General
     1  Assistant Inspector General for Investigations
     3  Assistant Inspector General for Executive Operations
     1  Assistant Inspector General for Audit
     1  Deputy Assistant Inspector General for Audit
     1    Director, Systems Audit Division
     1    Director, Financial Management and Performance Monitoring Audit Division
     1    Director, Operational Audit Division
     1    Director, Disability Program Audit Division
     1    Director, Program Benefits Audit Division
     1    Director, General Management Audit Division
    25  Issue Area Team Leaders
     1  Income Maintenance Branch, Office of Management and Budget
     1  Chairman, Committee on Ways and Means
     1  Ranking Minority Member, Committee on Ways and Means
     1  Chief of Staff, Committee on Ways and Means
     2  Chairman, Subcommittee on Social Security
     1  Ranking Minority Member, Subcommittee on Social Security
     2  Majority Staff Director, Subcommittee on Social Security
     2  Minority Staff Director, Subcommittee on Social Security
     1  Chairman, Subcommittee on Human Resources
     1  Ranking Minority Member, Subcommittee on Human Resources
     1  Chairman, Committee on Budget, House of Representatives
     1  Ranking Minority Member, Committee on Budget, House of Representatives
     1  Chairman, Committee on Government Reform and Oversight
     1  Ranking Minority Member, Committee on Government Reform and Oversight
     1  Chairman, Committee on Governmental Affairs
     1  Ranking Minority Member, Committee on Governmental Affairs
     1  Chairman, Committee on Appropriations, House of Representatives
     1  Ranking Minority Member, Committee on Appropriations,
        House of Representatives
     1  Chairman, Subcommittee on Labor, Health and Human Services, Education
        and Related Agencies, Committee on Appropriations,
        House of Representatives
     1  Ranking Minority Member, Subcommittee on Labor, Health and Human
        Services, Education and Related Agencies, Committee on Appropriations,
        House of Representatives
     1  Chairman, Committee on Appropriations, U.S. Senate
     1  Ranking Minority Member, Committee on Appropriations, U.S. Senate
     1  Chairman, Subcommittee on Labor, Health and Human Services, Education
        and Related Agencies, Committee on Appropriations, U.S. Senate
     1  Ranking Minority Member, Subcommittee on Labor, Health and Human
        Services, Education and Related Agencies, Committee on Appropriations,
        U.S. Senate
     1  Chairman, Committee on Finance
     1  Ranking Minority Member, Committee on Finance
     1  Chairman, Subcommittee on Social Security and Family Policy
     1  Ranking Minority Member, Subcommittee on Social Security and Family Policy
     1  Chairman, Senate Special Committee on Aging
     1  Ranking Minority Member, Senate Special Committee on Aging
     1  Vice Chairman, Subcommittee on Government Management Information
        and Technology
     1  President, National Council of Social Security Management Associations,
        Incorporated
     1  Treasurer, National Council of Social Security Management Associations,
        Incorporated
     1  Social Security Advisory Board
     9  AFGE General Committee
     1  President, Federal Managers Association
     1  Regional Public Affairs Officer

    97  Total


Overview of the Office of the Inspector General

Office of Audit

The Office of Audit (OA) conducts comprehensive financial and performance audits of
the Social Security Administration’s (SSA) programs and makes recommendations to
ensure that program objectives are achieved effectively and efficiently.
Financial audits,
required by the Chief Financial Officers Act of 1990, assess whether SSA’s financial
statements fairly present the Agency’s financial position, results of operations, and cash
flow. Performance audits review the economy, efficiency, and effectiveness of SSA’s
programs. OA also conducts short-term management and program evaluations focused
on issues of concern to SSA, Congress, and the general public. Evaluations often focus
on identifying and recommending ways to prevent and minimize program fraud and
inefficiency.

Office of Executive Operations

OEO supports the OIG by providing information resource management; systems
security; and the coordination of budget, procurement, telecommunications, facilities
and equipment, and human resources. In addition, this office is the focal point for the
OIG’s strategic planning function and the development and implementation of
performance measures required by the Government Performance and Results Act.
OEO is also responsible for performing internal reviews to ensure that OIG offices
nationwide hold themselves to the same rigorous standards that we expect from SSA,
as well as conducting investigations of OIG employees, when necessary. Finally, OEO
administers OIG’s public affairs, media, and interagency activities, coordinates
responses to Congressional requests for information, and also communicates OIG’s
planned and current activities and their results to the Commissioner and Congress.

Office of Investigations

The Office of Investigations (OI) conducts and coordinates investigative activity related
to fraud, waste, abuse, and mismanagement of SSA programs and operations. This
includes wrongdoing by applicants, beneficiaries, contractors, physicians, interpreters,
representative payees, third parties, and by SSA employees in the performance of their
duties. OI also conducts joint investigations with other Federal, State, and local law
enforcement agencies.

Counsel to the Inspector General

The Counsel to the Inspector General provides legal advice and counsel to the
Inspector General on various matters, including: 1) statutes, regulations, legislation,
and policy directives governing the administration of SSA’s programs; 2) investigative
procedures and techniques; and 3) legal implications and conclusions to be drawn from
audit and investigative material produced by the OIG. The Counsel’s office also
administers the civil monetary penalty program.